Forum: Typo Visible admin urls?

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
501dac4c25141b9ecffecf6819fe086b?d=identicon&s=25 Pawel Szymczykowski (makenai)
on 2006-03-20 20:31
(Received via mailing list)
Hi all,

I was looking at my logs today and noticed a bunch of hits like this:

64.238.127.181 - - [20/Mar/2006:08:41:01 -0800] "GET
/articles/tag/credit HTTP/1.1" 200 9386 "-" "Java/1.5.0_06" "-"
64.238.127.181 - - [20/Mar/2006:08:41:29 -0800] "GET
/admin/content/edit/38 HTTP/1.1" 302 119 "-" "Java/1.5.0_06" "-"
64.238.127.181 - - [20/Mar/2006:08:41:32 -0800] "GET
/admin/content/edit/39 HTTP/1.1" 302 119 "-" "Java/1.5.0_06" "-"
64.238.127.181 - - [20/Mar/2006:08:41:35 -0800] "GET
/admin/content/edit/34 HTTP/1.1" 302 119 "-" "Java/1.5.0_06" "-"
64.238.127.181 - - [20/Mar/2006:08:41:37 -0800] "GET
/admin/content/edit/37 HTTP/1.1" 302 119 "-" "Java/1.5.0_06" "-"

(Nevermind that this particular bot doesn't seem to follow robots.txt)

It kind of freaked me out, so I looked into the issue a little bit
more and noticed this in the code:

<div class="post" onmouseover="if (getCookie('is_admin') == 'yes') {
Element.show('admin_article'); }"
onmouseout="Element.hide('admin_article');" >
  <a href="/admin/content/edit/44" class="admintools"
id="admin_article" style="display: none">edit</a>

Is there any reason this stuff should be visible to someone who isn't
even logged in? Can't we hide it server side or something? OK - bad
idea because of the caching - but how about at least obscuring the
link with javascript or something? I don't mean something spammy with
lots of string concatenation, but how about just a function in a
peripheral .js file that does a document.write of the link?

I realize that the link won't do anything without authentication (as
shown in the redirect from the logs), but it still makes me a little
bit paranoid that it's there. Why show all of your houseguests the
exact location of the floor safe if you don't have to?

OK. That's all - sorry, I'm going to take a deep breath and calm down.
Am I overreacting, or does anyone else find this a bit scary?

Thanks for listening.

-Pawel
6451ee8093c9cedc94f6c813b4dde2c5?d=identicon&s=25 Kevin Ballard (Guest)
on 2006-03-21 03:54
(Received via mailing list)
Well, anybody who's ever looked at typo will be able to figure out
the path pretty easily anyhow. If your login is secure, trying to
obscure the path here isn't going to do anything at all. That would
be like closing the window while the door is wide open.
This topic is locked and can not be replied to.